| Age | Commit message (Collapse) | Author |
|---|
|
OK deraadt@, tb@, claudio@
|
|
Change distance sensor type to be displayed as meters with 3 decimals
instead of millimeters.
ok mpi@ kettenis@
|
|
the prefixlen is never bigger than 128 for inet6.
OK remi@
|
|
|
|
Found via snmpctl snmp walk 127.0.0.1 oid 1
OK claudio@
|
|
pledge cannot be used, nevertheless since we now have unveil available we can
use it to guarantee that in this particular case the snmpe process cannot
access the filesystem at all, therefore close a big attack vector and achieve
a great level of protection even without being able to use pledge.
prodded by deraadt@
|
|
read permissions, but once it reaches pledge(2) just before the main loop both
were already opened. Since snmpd(8) doesn't have a way to load or reload the
config file, not even through SIGHUP, then rpath promise is not needed.
The snmpe process cannot yet be pledged, but it doesn't need fs access so we
can disable the access through unveil("/", ""); unveil(NULL, NULL);
"looks right" to deraadt@
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
rtable 255 is a valid routing table or domain id that wasn't handled
by the ip[6]_mroute code or by snmpd. The arrays in the ip[6]_mroute
code where off by one and didn't allocate space for rtable 255; snmpd
simply ignored rtable 255. All other places in the tree seem to
handle RT_TABLEID_MAX correctly.
OK florian@ benno@ henning@ deraadt@
|
|
"looks good" gilles@ halex@
|
|
ok mpi@
|
|
ok claudio@ miko@
|
|
|
|
build and is still a work in progress. Tweaks and comments welcome.
|
|
ok claudio@
|
|
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
While here also scramble pledge promises to their canonical form.
OK florian@
|
|
possible stack overflow due to recursion in ber_free_elements().
ok claudio@
|
|
ok claudio@
|
|
ok claudio@
|
|
This way the size is the same on all archs and 32bit should be good enough.
OK rob@
|
|
ok tb@, claudio@
|
|
|
|
api uses read and write buffers (byte streams) that are utilized by calling
applications which may or may not use sockets.
ok claudio@
buffer byte streams that applications then use for
|
|
ok claudio@, jca@
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
After the removal of fd-based read/writes I could have trimmed the code
further.
- no socket-based reads so ber_read() doesn't need to loop until it gets
the desired amount of data
- return either the requested amount of data or -1/ECANCELED, the caller
shouldn't have to handle partial reads itself
- inline ber_readbuf() into ber_read()
ok rob@ claudio@ tb@
|
|
running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
|
|
|
|
|
can call ber_readbuf() in all cases. This resolves a problem previously
encountered with SNMPv3 authentication, simplifies the code, and completes a
full synchronization of all ber instances.
Proposed by claudio@. Problematic use case in snmpd tested by sthen@ and me.
ldap(s) appear happy as well.
looks good to claudio@
|
|
|
|
|
|
|
|
and ypldap. This function is not called by snmpd. This is the penultimate
commit prior to full sync between these four consumers of ber.
|
|
with snmpd. More tweaks to come once things are fully synchronized.
Feedback from claudio and Robert Klein.
Ok claudio@
|
|
passwords. A similar fix was applied to snmpd in 2010 (rev 1.23).
Pointers from Reyk.
Ok claudio@
|
|
|
|
use a more general text for the sections, and avoid the catchup issue
that was trying to document how many there were;
ok benno rob
|
|
ok benno@, "sure" deraadt@
|
|
Thanks to otto@ for the initial diff.
OK benno@
|
|
Patch submitted by Nan Xiao, ok tb@ sthen@ millert@ deraadt@ jca@
|
|
for interface groups on the system. From Jan Klemkow.
|
|
ok jca@ claudio@
|
|
From Steve Arntzen
|
|
values above this can't be represented and ifHighSpeed must be used instead.
Problem reported by Arnaud BRAND, ok mpi
|
|
ok benno@
|
|
This implements RFC 3430, with the exception of processing multiple
incoming requests in parallel (Section 2.1). This required too much
code and is optional anyway.
Initial review by reyk@, very thorough reviews by jca@. Thanks!
OK jca@, gerhard@
|
|
|
|
This mechanism is already unused and annotated with lots of XXX's, no
need to keep it around. ok claudio@
|
